Jump to content


Cerberus24

SCCM Bitlocker Policy not working for TPM only

By Cerberus24, in System Center Configuration Manager (Current Branch)

Recommended Posts

Cerberus24 Rookie

Cerberus24

Posted
Posted
On 2/2/2025 at 9:35 AM, anyweb said:

i'll double check in my https 2409 lab this evening and report back

have you verified that these devices are not targeted by any gpo from your 'old' mbam infrastructure ?

"Apologies for not seeing your reply sooner. This doesn’t apply to the current environment, as there was no previous MBAM infrastructure. However, I did decrypt the devices using the decryption policy, since the machine was imaged and BitLocker had been enabled with a weaker encryption algorithm. The decryption policy worked flawlessly, but as previously mentioned, the encryption policy is not functioning as expected. I have made sure that the targetted devices are no longer targetted by the decryption policy. 

Share this post

Link to post
Share on other sites
Cerberus24 Rookie

Cerberus24

Posted
Posted
7 hours ago, anyweb said:

@Cerberus24 

what client OS are you testing this on as a matter of interest?

I'm, happy to do a remote session to compare my lab to yours but it would be good to get more info about your setup

The endpoints are running Windows 11 24H2. The severs infrastructure for the MP and DP are running Windows server 2019 1809.

Share this post

Link to post
Share on other sites
Cerberus24 Rookie

Cerberus24

Posted
Posted (edited)

I replicated the same process on my test VM (decrypting with the policy and then re-encrypting using the policy), but for some reason, I’m encountering the same error message as I did on the other devices. Initially, I deployed the BitLocker policies in a smaller controller environment with VMs, and everything worked fine. I’m not sure what might be causing this issue now. The only difference I can think of is that the previous environment was running with self-signed certificates, whereas now it’s running with proper certificates.

- Device status before the decryption policy is deployed.

Screenshot2025-02-03at12_27_33PM.thumb.png.1ee09586264e3ab3480ca2da06c081dc.png

- Device status after the decryption policy was deployed and enforced.

Screenshot2025-02-03at3_28_17PM.png.68964edeb79af15e94f78df48a686a89.png


- Trying to re-encrypt after a successful decryption.

Screenshot2025-02-03at3_45_24PM.thumb.png.ddf1d7b9250618d60b0096005f3a8c2a.png

- BitlockerManagemetHandler.log file after encryption policy is deployed

Screenshot2025-02-03at3_50_30PM.thumb.png.5786cf0781cbf43e0f0f2a9fa5a9793b.png

- After rebooting the VM, the next console login via the MSTSC.exe client shows the following:


Screenshot2025-02-03at3_55_06PM.png.63c203115fa4e21b1a528b3209f12bd9.png

It’s important to mention that I was able to successfully encrypt and decrypt this same VM while the system was running under self-signed certificates.

 

Edited by Cerberus24

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.